Patch "media: fix airspy usb probe error path" has been added to the 4.6-stable tree

All of lore.kernel.org
 help / color / mirror / Atom feed

* Patch "media: fix airspy usb probe error path" has been added to the 4.6-stable tree
@ 2016-08-08 14:23 gregkh
  0 siblings, 0 replies; only message in thread
From: gregkh @ 2016-08-08 14:23 UTC (permalink / raw)
  To: james, gregkh, keescook, torvalds; +Cc: stable, stable-commits


This is a note to let you know that I've just added the patch titled

    media: fix airspy usb probe error path

to the 4.6-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     media-fix-airspy-usb-probe-error-path.patch
and it can be found in the queue-4.6 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@vger.kernel.org> know about it.


>From aa93d1fee85c890a34f2510a310e55ee76a27848 Mon Sep 17 00:00:00 2001
From: James Patrick-Evans <james@jmp-e.com>
Date: Fri, 15 Jul 2016 16:40:45 +0100
Subject: media: fix airspy usb probe error path

From: James Patrick-Evans <james@jmp-e.com>

commit aa93d1fee85c890a34f2510a310e55ee76a27848 upstream.

Fix a memory leak on probe error of the airspy usb device driver.

The problem is triggered when more than 64 usb devices register with
v4l2 of type VFL_TYPE_SDR or VFL_TYPE_SUBDEV.

The memory leak is caused by the probe function of the airspy driver
mishandeling errors and not freeing the corresponding control structures
when an error occours registering the device to v4l2 core.

A badusb device can emulate 64 of these devices, and then through
continual emulated connect/disconnect of the 65th device, cause the
kernel to run out of RAM and crash the kernel, thus causing a local DOS
vulnerability.

Fixes CVE-2016-5400

Signed-off-by: James Patrick-Evans <james@jmp-e.com>
Reviewed-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/media/usb/airspy/airspy.c |    3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

--- a/drivers/media/usb/airspy/airspy.c
+++ b/drivers/media/usb/airspy/airspy.c
@@ -1072,7 +1072,7 @@ static int airspy_probe(struct usb_inter
 	if (ret) {
 		dev_err(s->dev, "Failed to register as video device (%d)\n",
 				ret);
-		goto err_unregister_v4l2_dev;
+		goto err_free_controls;
 	}
 	dev_info(s->dev, "Registered as %s\n",
 			video_device_node_name(&s->vdev));
@@ -1081,7 +1081,6 @@ static int airspy_probe(struct usb_inter
 
 err_free_controls:
 	v4l2_ctrl_handler_free(&s->hdl);
-err_unregister_v4l2_dev:
 	v4l2_device_unregister(&s->v4l2_dev);
 err_free_mem:
 	kfree(s);


Patches currently in stable-queue which might be from james@jmp-e.com are

queue-4.6/media-fix-airspy-usb-probe-error-path.patch

^ permalink raw reply	[flat|nested] only message in thread

only message in thread, other threads:[~2016-08-08 14:23 UTC | newest]

Thread overview: (only message) (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2016-08-08 14:23 Patch "media: fix airspy usb probe error path" has been added to the 4.6-stable tree gregkh

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.